The Privacy Rights
Clearinghouse (PRC) respectfully submits the following comments to the Federal
Trade Commission (Commission) regarding the proposed consent order between
Google and the FTC In the matter of Google Inc., File No. 1023136.[1]

The PRC is a non-profit consumer
privacy organization engaging in consumer education and advocacy. Over the
course of our 19-year history, PRC staff members have worked directly with tens
of thousands of consumers concerned about their privacy. Our comments regarding the proposed consent
order reflect, in large part, our observations based on direct communication
with individual consumers.

The Commission filed a
complaint against Google alleging a violation of the FTC Act concerning its
rollout of the Google Buzz social networking service. According to the complaint, Google violated
the FTC Act by engaging in deceptive acts or practices when it represented
“that it used, and would use, information from consumers signing up for Gmail
only for the purpose of providing them with a web-based email service”[2]
and instead used the information to populate a new social network. Google also
failed to disclose to consumers what information would be public by default,
and allegedly deceived consumers as to their ability to decline enrollment in
Buzz. The complaint also alleged that Google misrepresented its compliance with
the U.S.-EU Safe Harbor Framework when it in fact did not adhere to the privacy
principles of Notice and Choice.[3]

The PRC supports the Commission’s
proposed consent order, and we hope to see it finalized in a manner that
imposes clearer privacy requirements on Google and creates meaningful privacy
protections for Google users. Given the
extensive scope of Google’s products and services, and the fact that the
agreement applies to them all, this proposed order arguably has the potential
to expand privacy protections for most Internet users.

“Express affirmative consent” should be defined within the consent
order and should extend beyond third parties

Part II of the settlement requires Google to obtain express
affirmative consent prior to sharing user information with any third party.[4] As a consumer privacy organization, we
advocate for consumer control over personal data, and believe that this portion
of the settlement may hold the most potential for concerned Google users. However, the settlement’s failure to define
“express affirmative consent” may do little to improve consumer choice. For example, this could potentially come in
the form of Google using pre-checked boxes so that the “express affirmative
consent” is effectively an opt-out rather than an opt-in. We therefore
encourage the Commission to adopt a definition of “express affirmative consent”
in the finalized consent order that will require Google to provide users with
clear, understandable, and meaningful choice in sharing information with third
parties.

Furthermore, due to Google’s size and pervasiveness, we urge
the Commission to require “express affirmative consent” from consumers whenever
Google intends to use the information across its own products and
services. This is especially important
when it creates or acquires new products and/or services that may use the
information in a manner unanticipated by a user.

The Commission should enhance the requirements for maintaining a
“comprehensive privacy program”

Part III of the settlement requires Google to maintain a
comprehensive privacy program “designed to address privacy risks related to the
development and management of new and existing products and services for
consumers” and to “protect the privacy and confidentiality of covered
information.”[5] We
support the Commission’s requirement that Google maintain such a program, but urge
the Commission to require certain elements within the program that will help hold
Google accountable to its users.

For example, we believe that all Gmail and other cloud-based
products and services Google provides should encrypt data on a routine basis. Google
should also be subject to data retention limitations. Furthermore, Google should be required to
clearly disclose to its users its data retention policy, and the data it
collects, stores, and discloses to other parties or among its own products and
services. Users should be able to
control the use and collection of their data to the widest extent possible. The PRC believes that the requirements should
explicitly extend to Google’s mobile platform as well.

If the Commission does not add specific requirements to this
portion (Part III) of the settlement, Google may argue that its current
practices fall in line with the requirement as it stands, therefore potentially
negating the purpose of the consent order.

In conclusion, we urge the Commission, when finalizing its consent order with
Google, to consider both defining “express affirmative
consent” and requiring it in situations extending beyond third-party transactions,
and adding specific requirements for maintaining a “comprehensive privacy
program.”